
Security Researchers Uncover New LockBit Ransomware Targets

Summary

– The LockBit ransomware group has returned with new victims emerging since late summer 2025, following a disruption by law enforcement in early 2024.
– Check Point identified at least a dozen organizations hit by LockBit attacks in September 2025, using both the new 5.0 variant and the older 3.0 version.
– LockBit 5.0 introduces significant updates including multi-platform support, enhanced anti-analysis mechanisms, and randomized file extensions to improve efficiency and stealth.
– The group announced its return on underground forums, calling for new affiliates who must pay $500 in Bitcoin for access to tools and a revamped control panel.
– Attacks have affected organizations across Western Europe, the Americas, and Asia, targeting both Windows and Linux systems, indicating the reactivation of LockBit’s infrastructure and affiliate network.

Following months of speculation about a potential resurgence, the LockBit ransomware group has officially resumed operations, with new victims appearing since late summer 2025. Security analysts from Check Point Research have confirmed at least a dozen organizations fell prey to LockBit-branded ransomware attacks during September 2025.

A detailed report released on October 23 indicates that half of these victims were compromised using the new LockBit 5.0 variant, while the remaining attacks employed version 3.0, commonly referred to as LockBit Black. The builder tools for LockBit 3.0 became publicly available after a 2022 leak, enabling cybercriminals unaffiliated with the core group to launch their own attacks. This confirmed activity marks a significant re-emergence, occurring more than a year after the LockBit operation was disrupted by Operation Cronos, a coordinated international law enforcement action that dismantled critical parts of the group’s infrastructure in early 2024.

The incidents investigated by Check Point span multiple continents, including Western Europe, the Americas, and Asia. Both Windows and Linux systems were impacted, which researchers interpret as clear evidence that LockBit’s infrastructure and affiliate network are fully operational again.

At the start of September, LockBit publicly announced its comeback on underground forums, introducing LockBit 5.0 to commemorate the group’s sixth anniversary and actively recruiting new affiliates. Referred to internally as ‘ChuongDong,’ this latest version represents a major advancement in the group’s encryptor technology, according to an earlier Check Point analysis.

LockBit 5.0 incorporates several important upgrades aimed at boosting efficiency, security, and stealth. These enhancements include multi-platform compatibility with new builds for Windows, Linux, and ESXi systems, along with sophisticated anti-analysis mechanisms designed to hinder forensic examination. The ransomware also features optimized routines that shorten the time available for defenders to respond, and it appends randomized 16-character file extensions to help evade detection by security software.
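As an added illustration (not taken from the Check Point report or the original article), the sketch below shows how a defender might flag bursts of file renames that append a 16-character extension. The alphanumeric character set, the event tuple layout, the window and the threshold are all assumptions; the article states only the extension length.

```python
import re
from collections import defaultdict, deque

# Assumption: the appended extension is 16 ASCII letters/digits.
# The article gives only the length, not the character set.
EXT_RE = re.compile(r"\.([A-Za-z0-9]{16})")


def appended_ext(old, new):
    """Return the 16-char suffix if `new` is `old` plus '.<16 chars>', else None."""
    if not new.startswith(old):
        return None
    m = EXT_RE.fullmatch(new[len(old):])
    return m.group(1) if m else None


def detect_bursts(events, window=60, threshold=5):
    """events: iterable of (epoch_seconds, host, old_path, new_path).

    Returns {host: time_of_first_alert} for hosts that show at least
    `threshold` matching renames inside a sliding `window` of seconds.
    A single match is ignored, since one file with a long suffix is
    not unusual on its own.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, host, old, new in sorted(events):
        if appended_ext(old, new) is None:
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:  # drop renames older than the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts


# Constructed sample events (hypothetical hosts and paths, not real telemetry).
SAMPLE = [
    (100 + i, "fs01", f"/srv/share/doc{i}.xlsx",
     f"/srv/share/doc{i}.xlsx.a1B2c3D4e5F6g7H{i}")
    for i in range(6)
] + [
    (101, "ws07", "/home/u/report.docx", "/home/u/report.docx.bak"),
    (102, "ws07", "/home/u/x.tar", "/home/u/x.tar.0123456789abcdef"),
]

if __name__ == "__main__":
    print(detect_bursts(SAMPLE))
```

A heuristic like this keys on rename volume and suffix shape rather than a fixed extension string, which is the property a randomized extension is meant to defeat.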

The group has also modernized its affiliate panel, now offering a more streamlined management interface with individualized login credentials. Prospective affiliates must make a Bitcoin deposit of approximately $500 to gain access to the control panel and encryptors, a strategy intended to preserve exclusivity and screen participants. Updated ransom notes now explicitly identify the attack as LockBit 5.0 and include personalized negotiation links, giving victims a 30-day window to comply before any stolen data is released publicly.

(Source: InfoSecurity Magazine)
